Two Frameworks, One Problem: Why the Pall Mall Code of Practice and OWASP Are Speaking to Each Other Without Knowing It — And What Happens When They Do
CYBER GOVERNANCE & SECURE DEVELOPMENT
The Pall Mall Code of Practice governs states and surveillance vendors. OWASP governs developers and applications. Neither was designed with the other in mind. Together, they represent the most complete picture of what responsible cyber intrusion capability governance could actually look like — if anyone connected the dots.
By The CyberDiplomat | June 2026
Two Documents, Two Worlds
In April 2025, 25 nations signed the Pall Mall Code of Practice — a framework co-led by France and the United Kingdom to govern the development, sale, and use of commercial cyber intrusion capabilities. It operates at the level of states and surveillance vendors. Its four pillars are accountability, precision, oversight, and transparency. It is voluntary, non-binding, and largely silent on technical implementation.
In a parallel world, the Open Worldwide Application Security Project (OWASP, formerly the Open Web Application Security Project) publishes and maintains the Mobile Application Security Verification Standard (MASVS) and its companion Mobile Application Security Testing Guide (MASTG), the de facto industry standard for building and testing secure mobile applications. It operates at the level of developers, security testers, and engineering teams. Its control groups cover storage, cryptography, authentication, network communications, platform interaction, code quality, resilience against tampering and reverse engineering, and privacy. It is technical, granular, and entirely silent on geopolitics.
These two frameworks do not reference each other. They were not designed with each other in mind. They address the same underlying problem — the exploitation of mobile devices by intrusive software — from opposite ends of the telescope: one from 30,000 feet of international diplomacy, the other from the ground level of a code review.
Understanding both, and the gap between them, is one of the most practically useful things a developer, a policymaker, or a security professional can do in 2026.
What the Pall Mall Code of Practice Actually Says
The Pall Mall Process Code of Practice has four pillars for the responsible use of commercial cyber intrusion capabilities: accountability, establishing clear responsibility for misuse; precision, limiting use to clearly defined targets; oversight, implementing independent review and enforcement mechanisms; and transparency, making practices and policies publicly understandable.
The Code is a voluntary non-binding agreement establishing best practices among governments in relation to the development, facilitation, purchase, transfer, and use of commercial cyber intrusion tools and services. It primarily aims to tackle the misuse of powerful cyber tools sold on the open market — tools often developed by private companies and exploited by state and non-state actors to surveil journalists, human rights defenders, and political opponents.
The Pall Mall Process goes beyond spyware to encompass the entire ecosystem of commercial cyber intrusion capabilities, including malware-as-a-service, access-as-a-service, and hacking-for-hire arrangements.
What the Code does not do is specify technical controls. It does not say what a responsible commercial surveillance tool must or must not do at the code level. It does not define what "precision" means in terms of software permissions. It does not describe what "accountability" looks like in terms of audit logs, data retention policies, or access controls. It does not translate its four pillars into anything a developer could implement or a security auditor could test.
As one cybersecurity expert put it plainly: "Unfortunately, without more teeth — some actual law or mandate — it's mostly just great guidance."
That gap — between the political principle and the technical implementation — is precisely where OWASP lives.
What OWASP MASVS Actually Says
The OWASP Mobile Application Security Verification Standard is the industry standard for mobile app security. It is written for mobile software architects and developers building secure mobile applications, and for security testers who need complete and consistent results. The current version (MASVS v2) is divided into eight control groups covering the most critical areas of the mobile attack surface: MASVS-STORAGE, secure storage of sensitive data; MASVS-CRYPTO, cryptographic practices; MASVS-AUTH, authentication and session management; MASVS-NETWORK, secure network communications; MASVS-PLATFORM, secure interaction with the mobile platform; MASVS-CODE, software engineering and coding best practices; MASVS-RESILIENCE, resistance to tampering and reverse engineering; and MASVS-PRIVACY, privacy controls to protect users.
The OWASP Mobile Application Security Testing Guide complements the MASVS with a comprehensive testing manual covering the processes, techniques, and tools used during a mobile app security test, alongside a comprehensive set of test cases enabling testers to deliver consistent and complete results.
The MASVS-PRIVACY control group is particularly significant in the context of surveillance technology. Its four controls require that an application minimise its access to sensitive data and resources (PRIVACY-1), prevent identification and tracking of the user (PRIVACY-2), be transparent about what data it collects and how it is used (PRIVACY-3), and give users control over their data (PRIVACY-4). In plain terms: collect only what is needed, tell the user, and do not exfiltrate sensitive data without consent.
These are not abstract principles. They are testable, verifiable, enforceable controls. A developer can implement them. An auditor can check them. A regulator can reference them.
Where Pall Mall and OWASP Overlap — And Where They Diverge
Mapping the Pall Mall pillars against the OWASP MASVS control groups reveals both genuine alignment and significant gaps.
Accountability → MASVS-CODE and MASVS-PLATFORM
Pall Mall's accountability pillar calls for clear responsibility for misuse, including supply chain accountability and due diligence procedures. OWASP's MASVS-CODE addresses software engineering practice: requiring an up-to-date platform version, shipping no third-party components with known vulnerabilities, having a mechanism to enforce security updates, and validating all untrusted input. MASVS-PLATFORM covers how applications interact with the underlying operating system: what permissions they request, how they handle inter-application communication (intents, URL schemes, WebViews), and whether they can be abused by or alongside other applications. (Binary protections such as obfuscation and anti-tampering are not part of MASVS-CODE; they belong to MASVS-RESILIENCE, which comes up under transparency below.)
The overlap is real but partial. Pall Mall's accountability is organisational and legal — who is responsible when something goes wrong. OWASP's accountability is technical — whether the code is auditable and whether the software supply chain is clean. Both are necessary. Neither alone is sufficient.
Precision → MASVS-PRIVACY
Pall Mall's precision pillar requires that commercial cyber intrusion capabilities be used only against clearly defined, lawfully authorised targets — not deployed broadly or indiscriminately. OWASP's MASVS-PRIVACY requires that applications collect minimal data, clearly define their data processing purposes, and not access device capabilities beyond what their stated function requires.
This is the closest point of convergence between the two frameworks. A spyware tool that indiscriminately harvests all data from a device violates both Pall Mall's precision requirement and OWASP's MASVS-PRIVACY controls. One translation is needed, though: MASVS-PRIVACY protects the app's own user, whereas a surveillance tool's "user" is the operator and the person whose data is at stake is the target. Read with "target" substituted for "user", a tool built to MASVS-PRIVACY standards (minimal data access, a defined purpose, nothing collected beyond that purpose) is, in practice, something close to what Pall Mall's precision pillar demands.
Oversight → MASVS-STORAGE and MASVS-CRYPTO
Pall Mall's oversight pillar calls for independent review mechanisms, audit capabilities, and enforcement that can verify whether tools are being used as authorised. OWASP's MASVS-STORAGE requires that sensitive data be stored securely, and MASVS-CRYPTO requires that all cryptographic implementations meet current standards.
For oversight to be meaningful in a technical context, there must be logs of what the tool did and against whom, and those logs must be protected from alteration and open to audit. OWASP supplies the controls for protecting such data at rest and for the cryptography that makes a log tamper-evident; the logging requirements themselves (what to record, how to protect log integrity) live in OWASP's web-oriented Application Security Verification Standard (ASVS) rather than in MASVS, so a bridge document would have to import them. Pall Mall provides the institutional framework for who reviews those logs and what happens when they reveal misuse. Again: both are necessary, neither alone is sufficient.
Transparency → MASVS-NETWORK and MASVS-CODE
Pall Mall's transparency pillar requires that vendors and states make their practices publicly understandable, including what data is collected, how tools are used, and what human rights safeguards are in place. OWASP's MASVS-NETWORK requires that all network communication use TLS with proper certificate validation (and pinning where warranted), so that what the app sends is at least attributable to the app rather than silently rewritten in transit. MASVS-RESILIENCE, together with the MASTG tests for it, is where OWASP deals with obfuscation, anti-debugging and anti-tampering, that is, with whether an application's behaviour can be reverse-engineered and audited.
Here the divergence is sharpest. Pall Mall's transparency is political and reputational: publish a transparency report, submit to independent audit, describe your human rights compliance programme. OWASP's is technical: does the code communicate over secure channels, and can its behaviour be verified? A vendor can publish a glossy transparency report while the underlying application buries its data transmission under five layers of obfuscation. An MASTG assessment would surface the obfuscation; Pall Mall would not. There is a catch the bridge-builders cannot ignore, however: MASVS-RESILIENCE treats obfuscation and anti-analysis as desirable protections for high-risk apps, and the MASTG tests whether they are present and effective, not whether they are absent. Applied to a surveillance tool, that control has to be read with its polarity reversed.
The Critical Gap: What Pall Mall Does Not Address That OWASP Does
Beyond the pillar-level mapping, there are several areas where OWASP addresses concrete technical risks that the Pall Mall Code of Practice does not touch at all.
Zero-click exploit delivery. The most dangerous modern spyware, Pegasus and Graphite among them, reaches target devices without any user interaction by exploiting vulnerabilities in messaging applications, browser rendering engines and other operating system components. OWASP's MASTG covers the application-level side of this: testing input validation, memory-safety issues in native code, and the handling of deep links, intents and other inter-process entry points that an exploit chain has to traverse. It does not, and cannot, cover the platform components that only the OS vendor can patch. Pall Mall has no technical guidance at all; it speaks to the legality and authorisation of deployment, not the mechanism of infection.
Third-party SDK surveillance. A growing category of privacy violation involves legitimate applications that include advertising or analytics SDKs which function as passive surveillance infrastructure — collecting location data, contact lists, browsing behaviour, and device identifiers without the primary application's explicit design intent. OWASP's MASVS-PRIVACY and MASTG testing for third-party libraries directly addresses this. Pall Mall does not contemplate the SDK supply chain as a vector at all.
Data minimisation and purpose limitation. OWASP's MASVS-PRIVACY requires that applications collect only what they need for their stated function. This principle — known in data protection law as data minimisation — is foundational to GDPR, to the UN Human Rights Committee's guidelines on surveillance, and to the technical concept of "precision" in Pall Mall's framework. Yet Pall Mall nowhere translates its precision requirement into a data minimisation obligation for the software itself.
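As an added illustration, not from the page and not an OWASP or Pall Mall artefact, of what a data-minimisation check looks like in practice for both the precision mapping above and the SDK supply-chain point, the following Python script compares the permissions an Android app's merged manifest requests against an allowlist derived from the app's stated purpose. On Android, library manifests are merged into the app manifest at build time, which is exactly how an advertising SDK ends up requesting location or the advertising ID without the app author writing a line. The sample manifest, the hypothetical `com.example.notes` app and its allowlist are constructed for the example; the permission strings are real Android and Play Services constants, the category labels are ours.

```python
import xml.etree.ElementTree as ET

# Namespace used for android:name attributes in AndroidManifest.xml.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that expose the data categories surveillance SDKs typically
# harvest. Permission names are real; the category grouping is our own.
SENSITIVE_PERMISSIONS = {
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.ACCESS_BACKGROUND_LOCATION": "location",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_CALL_LOG": "call log",
    "android.permission.READ_SMS": "sms",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.CAMERA": "camera",
    "android.permission.READ_PHONE_STATE": "device identity",
    "com.google.android.gms.permission.AD_ID": "advertising id",
}


def requested_permissions(manifest_xml: str) -> set:
    """Return every permission the (merged) manifest requests.

    <uses-permission> and <uses-permission-sdk-23> are both real manifest
    elements, and library manifests merged at build time contribute to both.
    """
    root = ET.fromstring(manifest_xml)
    names = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(ANDROID_NS + "name")
            if name:
                names.add(name)
    return names


def unjustified_permissions(manifest_xml: str, justified: set) -> dict:
    """Map each requested sensitive permission that is not in the stated-purpose
    allowlist to the data category it exposes. An empty result means the merged
    manifest asks for nothing sensitive beyond what the declared function needs."""
    requested = requested_permissions(manifest_xml)
    return {
        perm: SENSITIVE_PERMISSIONS[perm]
        for perm in sorted(requested - justified)
        if perm in SENSITIVE_PERMISSIONS
    }


# Constructed sample: a hypothetical note-taking app whose developer wrote only
# INTERNET and CAMERA (document scanning). The last three entries are what a
# bundled advertising SDK's library manifest added during manifest merging.
MERGED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.CAMERA" />
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
    <uses-permission android:name="android.permission.READ_PHONE_STATE" />
    <uses-permission android:name="com.google.android.gms.permission.AD_ID" />
    <application android:label="Notes" />
</manifest>
"""

# The allowlist a reviewer or CI gate would derive from the purpose statement.
NOTES_APP_JUSTIFIED = {
    "android.permission.INTERNET",
    "android.permission.CAMERA",
}

if __name__ == "__main__":
    findings = unjustified_permissions(MERGED_MANIFEST, NOTES_APP_JUSTIFIED)
    for perm, category in findings.items():
        print(f"UNJUSTIFIED {category:<16} {perm}")
```

The merged manifest does not say which library contributed an entry; the Gradle build's manifest-merger report does, so in a real pipeline the two are read together and any finding is traced back to the SDK that caused it. Run as a CI gate, a non-empty result fails the build until the purpose statement is expanded or the SDK is removed, which is the "precision" pillar reduced to something a developer can act on.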
Reverse engineering protections and auditability. One of the documented tactics of commercial spyware vendors is designing their software to resist forensic analysis, making it harder for researchers like Citizen Lab to detect and document deployments. OWASP's MASVS-RESILIENCE and the MASTG cover exactly these techniques (obfuscation, anti-debugging, anti-tampering, root and jailbreak detection), and the MASTG describes how to test whether they are in place. The difference is the stance: OWASP treats them as legitimate defences for an app protecting its own user, whereas in a surveillance tool they protect the operator from the target and from researchers. Pall Mall's transparency pillar could logically mandate auditability, but makes no technical specification in that direction.
What the Industry Guide Should Actually Look Like: Bridging the Frameworks
The next step for the Pall Mall Process — as noted by participants in Paris — is to establish parallel guidance for industry alongside the state-focused Code of Practice. That guidance does not need to be invented from scratch. It should be built on the technical foundation that OWASP has already spent years developing.
Here is what a bridge document between Pall Mall and OWASP would need to specify:
1. Mandatory MASVS-PRIVACY compliance for commercial cyber intrusion tools Any organisation developing commercial surveillance software seeking to operate in Pall Mall-signatory markets should be required to demonstrate compliance with OWASP MASVS-PRIVACY controls as a baseline condition of market access. This translates Pall Mall's precision pillar into a testable, auditable technical requirement.
2. MASTG-based third-party audit as a licensing condition The Pall Mall Code calls for oversight mechanisms. Operationally, this should mean mandatory third-party security audits using OWASP MASTG methodology before any commercial surveillance tool can be licensed or exported. The MASTG provides the testing framework; Pall Mall provides the institutional authority to require it.
3. SDK supply chain disclosure Commercial surveillance tools must disclose all third-party SDKs and libraries, with demonstrated MASVS-CODE compliance for each. This closes the supply chain accountability gap that Pall Mall's accountability pillar addresses politically but not technically.
4. Audit log requirements tied to MASVS-STORAGE For Pall Mall's oversight pillar to be meaningful, deployment logs must exist, must be protected to MASVS-STORAGE standards, and must be accessible to the independent review bodies the Code envisions. Without a technical standard for how logs are created and protected, oversight is nominal rather than real.
5. Anti-evasion requirements Any commercial surveillance tool must not include code designed to resist forensic analysis or detection by security researchers. This is the technical expression of Pall Mall's transparency pillar. It also inverts MASVS-RESILIENCE, which rewards such code in ordinary high-risk apps, so a bridge document must state the carve-out explicitly. It is the requirement most likely to be resisted by vendors whose business model depends on their tools remaining undetectable.
6. Vulnerability disclosure policies The Pall Mall consultation process highlighted well-structured vulnerability disclosure policies as a good practice. OWASP's MASVS-CODE requires that an app ship no components with known vulnerabilities and that it be able to enforce security updates; it does not itself prescribe how vulnerabilities are disclosed. A bridge framework should therefore pair MASVS-CODE compliance with coordinated vulnerability disclosure as a mandatory condition of commercial cyber intrusion capability licensing.
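The oversight mapping above and item 4 of this list both turn on the same technical requirement: deployment logs that exist, cannot be quietly altered, and can be checked by someone other than the operator. As an added example, not from the page and not part of any Pall Mall or OWASP text, the Python below implements one way to do that: an append-only log in which every entry carries an HMAC over the previous entry's tag and the canonical form of the record, plus a reviewer-side verifier. The record fields, warrant and target identifiers, the demo key and the `DeploymentLog`/`verify` names are all constructed for the example. A production design would sign entries with an asymmetric key held in an HSM so the reviewer needs no secret, and would protect that key per MASVS-STORAGE and MASVS-CRYPTO; those parts are outside this snippet.

```python
import copy
import hashlib
import hmac
import json
from typing import Optional

GENESIS_TAG = "00" * 32  # the "previous tag" the first entry commits to


def _canonical(record: dict) -> bytes:
    """Stable serialisation so the same record always yields the same tag."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def _tag(key: bytes, prev_tag: str, record: dict) -> str:
    """HMAC-SHA256 over (previous tag || canonical record). Each entry commits
    to its predecessor, so the tags form a chain."""
    msg = bytes.fromhex(prev_tag) + _canonical(record)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class DeploymentLog:
    """Append-only chain of deployment records kept by the logging service."""

    def __init__(self, key: bytes):
        self._key = key
        self.entries: list = []

    def head(self) -> str:
        """Tag of the newest entry; this is what gets attested to the reviewer."""
        return self.entries[-1]["tag"] if self.entries else GENESIS_TAG

    def append(self, record: dict) -> dict:
        prev = self.head()
        entry = {"seq": len(self.entries), "prev": prev,
                 "record": record, "tag": _tag(self._key, prev, record)}
        self.entries.append(entry)
        return entry


def verify(entries: list, key: bytes, attested_head: Optional[str] = None):
    """Reviewer-side check. Returns (True, None) if the chain is intact,
    (False, index) at the first bad entry, or (False, "truncated") if the
    chain is internally consistent but does not end at the attested head."""
    prev = GENESIS_TAG
    for i, e in enumerate(entries):
        if e.get("seq") != i or e.get("prev") != prev:
            return False, i
        if not hmac.compare_digest(_tag(key, prev, e["record"]), e["tag"]):
            return False, i
        prev = e["tag"]
    if attested_head is not None and prev != attested_head:
        return False, "truncated"
    return True, None


# Constructed sample records (hypothetical identifiers, not real cases).
SAMPLE_RECORDS = [
    {"ts": "2026-05-01T09:12:00Z", "operator": "unit-7", "target": "T-0041",
     "authorisation": "WARRANT-2026-118", "action": "deploy"},
    {"ts": "2026-05-03T14:40:00Z", "operator": "unit-7", "target": "T-0042",
     "authorisation": "WARRANT-2026-121", "action": "deploy"},
    {"ts": "2026-05-09T08:05:00Z", "operator": "unit-7", "target": "T-0041",
     "authorisation": "WARRANT-2026-118", "action": "collect"},
]


def run_scenarios(key: bytes = b"constructed-demo-key-not-for-real-use") -> dict:
    """Build the sample log and report what the verifier says after each
    manipulation an operator might attempt."""
    log = DeploymentLog(key)
    for rec in SAMPLE_RECORDS:
        log.append(rec)
    head = log.head()                              # attested to the review body
    results = {"intact": verify(log.entries, key, head)}

    edited = copy.deepcopy(log.entries)
    edited[1]["record"]["target"] = "T-0099"       # retarget after the fact
    results["edited"] = verify(edited, key, head)

    dropped = copy.deepcopy(log.entries)
    del dropped[1]                                 # hide one deployment
    results["dropped"] = verify(dropped, key, head)

    truncated = copy.deepcopy(log.entries[:-1])    # hide the newest action
    results["truncated_unanchored"] = verify(truncated, key)
    results["truncated_anchored"] = verify(truncated, key, head)
    return results


if __name__ == "__main__":
    for name, (ok, problem) in run_scenarios().items():
        print(f"{name:<22} ok={ok} problem={problem}")
```

The `truncated_unanchored` scenario is the one to notice: a chain on its own proves nothing about entries that were simply never handed over, so the reviewer must also receive the current head tag on a schedule (or the head must be anchored in an external append-only store). Without that, "the logs exist and are protected" is exactly the nominal oversight item 4 warns about.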
Why Developers Should Care About Pall Mall
The audience for the Pall Mall Code of Practice is nominally governments and surveillance vendors. But its implications extend to every developer working on applications that handle sensitive data, communications, or location information.
Spyware such as Pegasus gains initial access by exploiting vulnerabilities in software already on the device: messaging apps, browsers, email clients, and the operating system components beneath them. Many of those are outside a third-party developer's control, but the applications that are not form the first line of defence against commercial surveillance tools. A developer who implements OWASP MASVS controls properly is not just building a more secure application; they are narrowing the attack surface that commercial spyware depends on.
The principle works in both directions. Pall Mall creates political and legal pressure on surveillance vendors to demonstrate responsible practices. OWASP provides the technical vocabulary and testing methodology to determine whether those practices are genuine. Neither framework can fully achieve its aims without the other.
Conclusion: The Bridge That Needs Building
The Pall Mall Code of Practice is a significant political achievement. It names the problem, assembles a coalition, and establishes principles. Its four pillars — accountability, precision, oversight, and transparency — describe, in diplomatic language, exactly what responsible commercial surveillance would look like.
OWASP MASVS and MASTG are a significant technical achievement. They name the controls, provide the testing methodology, and establish measurable standards. Their eight control groups (storage, cryptography, authentication, network, platform, code, resilience, privacy) describe, in engineering language, exactly what a responsible application looks like.
The gap between them is the gap between knowing what we want and knowing how to build it. That gap is where most governance failures live.
The next Pall Mall conference needs a working group with OWASP representatives in the room. The output should not be another code of practice. It should be a technical annex — a set of mandatory, testable, auditable controls that translate the four pillars into requirements that a developer can implement, a tester can verify, and a regulator can enforce.
Until that bridge is built, the Pall Mall Code of Practice will remain, as one expert described it, "mostly just great guidance." And the spyware industry will continue to operate in the gap between the principle and the specification — which is, and has always been, exactly where it prefers to live.
Quick Reference: Pall Mall ↔ OWASP MASVS Mapping
| Pall Mall Pillar | Closest OWASP Control | Gap |
|---|---|---|
| Accountability | MASVS-CODE, MASVS-PLATFORM | Pall Mall is organisational; OWASP is technical |
| Precision | MASVS-PRIVACY | Strongest overlap; data minimisation bridges both once "user" is read as "target" |
| Oversight | MASVS-STORAGE, MASVS-CRYPTO | Pall Mall needs technical audit-log standards; MASVS protects data at rest, the logging requirements sit in OWASP ASVS |
| Transparency | MASVS-NETWORK, MASVS-RESILIENCE | Pall Mall's reports don't test for technical obfuscation; MASVS-RESILIENCE rewards it and must be inverted for surveillance tools |
| Not addressed | MASVS-AUTH | Pall Mall has no equivalent controls |
Sources: French Ministry for Europe and Foreign Affairs, Just Security, CyberScoop, Dark Reading, Malwarebytes, RUSI, ORF America, OWASP MAS Project, Appknox, Guardsquare, GitHub OWASP/MASVS, Cyphere, Aptive.
© The CyberDiplomat, 2026. All rights reserved.